[MikroTik] user> print
Flags: X - disabled
  0 ;;; system default user
    name=admin group=full address=0.0.0.0/0 caller-id="" baud-rate=0 only-one=no max-session-time=0s
[MikroTik] user>
Use the add command to add a user to the user database:
[MikroTik] user> add name=joe group=ppp password=j1o2e3
[MikroTik] user> print
Flags: X - disabled
  0 ;;; system default user
    name=admin group=full address=0.0.0.0/0 caller-id="" baud-rate=0 only-one=no max-session-time=0s
  1 name=joe group=ppp address=0.0.0.0/0 caller-id="" baud-rate=0 only-one=no max-session-time=0s
[MikroTik] user>
Argument description:
name - (required) User name. Must start with an alphanumeric character and contain alphanumeric characters, "*", "_", ".", "@".
group - (required) Name of the group the user belongs to. The system default groups are 'full', 'write', 'read', and 'ppp'. See below on how to manage user groups.
password - User password. If not specified, it is left blank (hit 'Enter' when logging in). It conforms to standard Unix characteristics of passwords. Can contain letters, digits, "*" and "_".
baud-rate - Connection rate limit for PPPoE
caller-id - For PPTP it is the IP address of the client; for PPPoE it is the MAC address of the client
max-session-time - (Only for PPP connections) Maximum session time user can have when logged in
only-one - (yes / no) (Only for PPP connections) If 'yes' user can have only one session at a time
address - IP address from which the user is allowed to log in. When logging in using PPP, if the remote address is specified in the PPP interface settings, then this address must match the specified address for the client to be able to log in. Can be in the form address/mask, where 'mask' is the number of bits in the subnet mask.
netmask - Network mask of addresses assigned to the user
Note! User name "*" will be used for PPP as any user.
The list of active users can be viewed using the /user active print command:
[MikroTik] > /user active print
  # WHEN                 NAME   ADDRESS  VIA
  0 apr/19/2001 01:11:04 admin  0.0.0.0  console
  1 apr/19/2001 01:12:26 1      0.0.0.0  console
[MikroTik] >
When the user has logged on he can change his password using the /password command.
The user is required to enter his/her current password before entering the new password.
When the user logs out and logs in for the next time, the new password must be entered.
User Groups
User group management can be accessed under the /user group menu:
[MikroTik] user group> print
  0 ;;; ppp users
    name=ppp policy=ppp
  1 ;;; users with read only permission
    name=read policy=local telnet ssh reboot read test web
  2 ;;; users with write permission
    name=write policy=local telnet ssh reboot read write test web
  3 ;;; users with complete access
    name=full policy=local telnet ssh ftp reboot read write policy test web
[MikroTik] user group>
There are four system groups which cannot be deleted. Use the add command to add a user group:
[MikroTik] user group> add name=reboot policy="telnet reboot read"
[MikroTik] user group> print
  0 ;;; ppp users
    name=ppp policy=ppp
  1 ;;; users with read only permission
    name=read policy=local telnet ssh reboot read test web
  2 ;;; users with write permission
    name=write policy=local telnet ssh reboot read write test web
  3 ;;; users with complete access
    name=full policy=local telnet ssh ftp reboot read write policy test web
  4 name=reboot policy=reboot read telnet
[MikroTik] user group>
Here, the argument name is the name of the group, and policy contains the list of policies assigned to the group:
local - User can log on locally via console
telnet - User can log on remotely via telnet
ssh - User can log on remotely via secure shell
ftp - User can log on remotely via ftp and send and retrieve files from the router
reboot - User can reboot the router
read - User can retrieve the configuration
write - User can retrieve and change the configuration
policy - User can manage user policies, add and remove users
test - User can run ping, traceroute, bandwidth test
web - User can log on remotely via http (Java Console)
ppp - User can log on using ppp connections to the router (PPP, PPTP, PPPoE)
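An audit of the user and group listings described above, as an added example that is not part of the original manual: it parses /user print and /user group print output and reports users who may log in from any address (address=0.0.0.0/0) or whose group grants login over unencrypted protocols (telnet, ftp, web). The sample text is constructed in the page's print format; the user "ops", the group "sshonly", and the function names are hypothetical.

```python
import re

# Login policies from the list on this page that use unencrypted protocols.
CLEARTEXT = {"telnet", "ftp", "web"}
PAIR = re.compile(r"([\w-]+)=(.*?)(?=\s+[\w-]+=|$)")

# Constructed sample input in the page's print format ("ops" and "sshonly" are hypothetical).
USERS = """\
0 ;;; system default user
  name=admin group=full address=0.0.0.0/0 caller-id="" baud-rate=0 only-one=no max-session-time=0s
1 name=joe group=ppp address=0.0.0.0/0 caller-id="" baud-rate=0 only-one=no max-session-time=0s
2 name=ops group=sshonly address=10.0.0.0/24 caller-id="" baud-rate=0 only-one=no max-session-time=0s
"""
GROUPS = """\
0 ;;; ppp users
  name=ppp policy=ppp
1 ;;; users with complete access
  name=full policy=local telnet ssh ftp reboot read write policy test web
2 name=sshonly policy=ssh read
"""

def parse_items(text):
    """Return one dict of properties per numbered item in print output."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"(\d+)\s+(.*)", line)
        if m:                                  # an item number starts a new record
            items.append({})
            line = m.group(2)
        if not items or line.startswith(";;;"):
            continue                           # skip headers and item comments
        items[-1].update(PAIR.findall(line))
    return items

def audit(users_text, groups_text):
    """Return (user, finding) pairs for risky user/group combinations."""
    groups = {g["name"]: set(g["policy"].split()) for g in parse_items(groups_text)}
    findings = []
    for user in parse_items(users_text):
        policy = groups.get(user["group"], set())
        # PPP-only users use 'address' for the PPP remote address, so skip them here.
        if user["address"] == "0.0.0.0/0" and policy - {"ppp"}:
            findings.append((user["name"], "login allowed from any address"))
        cleartext = sorted(policy & CLEARTEXT)
        if cleartext:
            findings.append((user["name"], "cleartext access: " + " ".join(cleartext)))
    return findings
```

Calling audit(USERS, GROUPS) on the sample reports only the default admin account; restricting its address and moving it to a group without telnet, ftp and web clears both findings.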